Dom5
New Contributor

Cannot ping the internal interface of the Fortigate 100D

Good evening all,

 

I have a configuration and I am not sure why it does not work.

 

This is FortiOS 6.2.2.

 

I attached the topology.

Static routes on the FTG are:

10.10.1.0/24 to 10.10.1.254

10.10.101.0/24 to 10.10.1.254

10.10.102.0/24 to 10.10.1.254

 

VLAN90 - 10.10.1.1/24 with default gateway 10.10.1.254

 

 

Ping from the Cisco 3750 switch to the SVI interface of VLAN 101: has a ping reply.

Ping from the Cisco 3750 switch to the FTG (10.10.1.1): has a ping reply.

Ping from PC1 to PC2: has a ping reply.

Ping from PC2 to PC1: has a ping reply.

Ping to 10.10.1.254: has a ping reply.

Ping from PC2 to 10.10.1.1 (FTG internal interface): has no reply.

Ping from PC2 to WAN1: also has no reply.

 

It seems the outgoing routing from VLANs other than VLAN90 is not able to reach the internal FTG interface or the external FTG WAN interface.

 

Do you know why it is not able to ping? I cannot ping 8.8.8.8 either.

 

PS: ping has been enabled on the interface.

Toshi_Esumi
Esteemed Contributor III

Why is the default GW at the FGT toward Cisco while the internet circuit is terminated at the FGT?

Dave_Hall

Also, PC2 in the attached pic is shown to be on VLAN101 (10.10.101.123). If the Cisco 3750 is connected to an internal port on the FGT, I assume VLAN sub-interfaces are also configured under that interface (on the FGT), or am I missing something?

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
rwpatterson
Valued Contributor III

The interface between the Fortigate and the access switch needs to be a trunk unless you are routing on the access switch (which you are not since the IP subnet appears on multiple interfaces). That trunk will pass traffic on all attached VLANs between the switch and the Fortigate. You would then set up policies on the Fortigate allowing what you need. Alternatively, you could add another access port between the switch and the Fortigate with VLAN 101 passing across it.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Toshi_Esumi
Esteemed Contributor III

I think Dom5 meant to use (keep) the 3750 as a router/switch (L3 mode). That's why those static routes (the first one is not necessary, though) are placed at the FGT.

Dave_Hall

It seems the route from VLAN 90 to VLAN 101 is only on the Cisco 3750. I am wondering what default route is configured on PC2 (on VLAN 101)?

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
rwpatterson
Valued Contributor III

Is the Cisco routing?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Dom5

 

 

I want to keep the inter-VLAN routing on the 3750 switch, as this is the core switch and we want to use the Fortigate as a firewall only.

So the internal routing is happening on the core switch. It is configured with ip routing, which can then route between the VLAN interfaces.

 

 

Dom5
New Contributor

Hi Dave,

 

I have configured VLAN interfaces on the switch, and I want the VLAN interfaces to remain there.

 

VLAN 90

interface vlan 90
 ip address 10.10.1.254 255.255.255.0

VLAN 101

interface vlan 101
 ip address 10.10.101.254 255.255.255.0

 

So on PC2 (101) I can ping those two interfaces, as I set the default gateway to 10.10.101.254. I can also ping PC1, which is on VLAN90, as the internal interface of the Fortigate replies to the ping. However, I cannot ping the internal interface of the Fortigate from PC2.

 

Therefore, I am not sure where the mistake is that I have made that stops it from working.

 

 

 

Dom5
New Contributor

Hi toshiesumi,

 

I set the default gateway for the external as:

0.0.0.0 to wan1.

 

From the switch, I can ping 8.8.8.8. 

 

When I put the client behind the switch, I cannot ping the external. So I started the investigation. I found that the pinging stops after the switch, which has multiple VLANs.

 

From the Fortigate, I can ping the external network as well, such as 8.8.8.8.
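The static routes in the opening post (10.10.101.0/24 and 10.10.102.0/24 via the 3750 SVI 10.10.1.254) and the default route to wan1 in the last post together decide two things on a stateful firewall for every echo request from a client behind the core switch: whether the packet survives the reverse-path check on its source address, and which way the echo reply is sent. The following Python script is an added example, written for this page and not code from any poster or from Fortinet; it models those two decisions with the thread's own prefixes. The interface name "internal" for the VLAN90-facing side, the wan1 next-hop placeholder, and the PC1 address 10.10.1.50 are constructed assumptions; PC2's address 10.10.101.123 is taken from the thread. Firewall policy and the per-interface ping administrative access are deliberately not modelled.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str          # egress interface on the FortiGate
    gateway: Optional[str]  # None for a directly connected network


# Constructed from the routes the thread states: the FortiGate's VLAN90 side is
# 10.10.1.1/24, the static routes for 10.10.101.0/24 and 10.10.102.0/24 point at
# the Cisco 3750 SVI 10.10.1.254, and the default route goes out wan1. The name
# "internal" for the VLAN90-facing interface and the wan1 next-hop string are
# assumptions of this example, not values from the thread.
FGT_ROUTES: List[Route] = [
    Route(ipaddress.ip_network("10.10.1.0/24"), "internal", None),
    Route(ipaddress.ip_network("10.10.101.0/24"), "internal", "10.10.1.254"),
    Route(ipaddress.ip_network("10.10.102.0/24"), "internal", "10.10.1.254"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "wan1", "<ISP gateway, placeholder>"),
]


def lookup(dst: str, routes: List[Route] = FGT_ROUTES) -> Route:
    """Longest-prefix match: among the routes containing dst, the most specific wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def rpf_passes(src: str, ingress: str, routes: List[Route] = FGT_ROUTES) -> bool:
    """Reverse-path forwarding check applied to the first packet of a session:
    the route back to the packet's source must leave through the interface the
    packet arrived on, otherwise the packet is treated as spoofed or asymmetric
    and dropped before any policy is consulted."""
    return lookup(src, routes).interface == ingress


def ping_to_fgt(src: str, ingress: str, routes: List[Route] = FGT_ROUTES) -> dict:
    """Model the routing decisions for an echo request addressed to a FortiGate
    interface: RPF on the source first, then the path the echo reply would take."""
    back = lookup(src, routes)
    if back.interface != ingress:
        return {
            "answered": False,
            "reason": (f"reverse-path check failed: route to {src} is via "
                       f"{back.interface}, but the packet arrived on {ingress}"),
        }
    return {
        "answered": True,
        "reply_via": back.interface,
        "next_hop": back.gateway or "directly connected",
    }


if __name__ == "__main__":
    # PC2 on VLAN101 (address from the thread) pinging 10.10.1.1 via the 3750.
    print(ping_to_fgt("10.10.101.123", "internal"))
    # The same packet if the 10.10.101.0/24 static route were missing: the source
    # would then match only the default route out wan1 and RPF would drop it.
    without = [r for r in FGT_ROUTES if str(r.prefix) != "10.10.101.0/24"]
    print(ping_to_fgt("10.10.101.123", "internal", without))
    # A host on VLAN90 (constructed address) is directly connected; no next hop.
    print(ping_to_fgt("10.10.1.50", "internal"))
```

With the routes exactly as the thread lists them, the reverse-path check passes for PC2's source and the reply is sent back to 10.10.1.254, so the second run (with the 10.10.101.0/24 route removed) shows the failure mode these static routes exist to prevent rather than the thread's reported symptom. When a ping to an interface address fails even though the route lookup comes out like the first run, the remaining places to check on the real device are the administrative access setting of the interface being pinged and the reply path the client itself uses.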
